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Abstract 



We demonstrate the feasibility of end-to-end communication in highly unreliable networks. 

Modeling a network as a graph with vertices representing nodes and edges representing the 

links between them, we consider two forms of unreliability: unpredictable edge-failures, and 

deliberate deviation from protocol specifications by corrupt nodes. 

fj . We present a robust routing protocol for end-to-end communication that is simultaneously 

resilient to both forms of unreliability. In particular, we prove rigorously that our protocol 

is secure against the actions of the corrupt nodes, achieves correctness (Receiver gets all of 

►^ ' the messages from Sender, in order and without modification), and enjoys provably optimal 

^1^ . throughput performance, as measured using competitive analysis. 

lO ' Furthermore, our protocol does not incur any asymptotic memory overhead as compared to 

\l . other protocols that are unable to handle malicious interference of corrupt nodes. In particular, 

^^ ' our protocol requires 0{n^) memory per processor, where n is the size of the network. This 

^^ . represents an 0(n^) improvement over all existing protocols that have been designed for this 

^^ ' network model. 

m 
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1 Introduction 

With the immense range of applications and the multitude of networks encountered in practice, 
there has been an enormous effort to study routing in various settings. In the present paper, we 
investigate the feasibility of routing in a "worst-case" network setting, that is, one in which neither 
the nodes of the network nor the links of the network are reliable. 

We adopt the same definition of unreliability (with respect to both the links and the nodes) 
as was introduced in |18|. For the network links, we do not assume any form of consistency: the 
topology of the network is dynamic (links may spontaneously fail or come back to life at any time) , 
transmission time across each link may vary from link to link as well as across the same link from 
one transmission to the next (i.e. asynchronous edges), and there is no guarantee that there are 
enough links available (even over time) for communication to even be possible. 

Meanwhile, unreliability with respect to the nodes will be defined to mean that nodes may 
actively and maliciously deviate from protocol specificiations, attempting to disrupt communication 
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as much as possible. In particular, we assume the presence of a malicious adversary that may corrupt 
an arbitrary subset of nodes in the network, taking complete control over them and coordinating 
attacks to interfere with communication between the uncorrupt nodes. 

Admittedly, few guarantees can be achieved by any protocol that is forced to operate in networks 
with so few assumptions. Indeed, the absence of any assumption on connectivity means that suc- 
cessful routing may be impossible, for instance if all of the links remain forever inactive. Therefore, 
instead of measuring the efficacy of a given protocol in terms of its absolute performance, we will 
employ competitive analysis to evaluate protocols: the throughput-performance of a given protocol 
with respect to the network conditions encountered will be compared to the performance of an 
ideal protocol (one that has perfect information regarding the schedule of active/inactive links and 
corrupt nodes, and makes perfect routing decisions based on this information). 

The combination of this strong notion of unreliability together with the use of competitive anal- 
ysis provides a meaningful mechanism to evaluate routing protocols in networks that demonstrate 
unreliability in unknown ways. For example, we are able to compare protocols that route in networks 
that are susceptible to all of the above forms of unreliability, but e.g. remain stable most of the time 
with respect to the edges (or alternatively e.g. most of the nodes remain uncorrupted) . Therefore, 
by allowing networks to exhibit all forms of unreliablity, we compromise absoulte performance for 
robustness. That is, no protocol will route packets quickly through a network that displays all forms 
of unreliability, but protocols with high competitive-ratio are guaranteed to do as well as possible, 
regardless of the actual network conditions. 

Our approach to the problem of routing in unreliable network settings will be from a theoret- 
ical perspective. We model both forms of unreliablity formally in Section |2l as well as providing 
formal definitions of security/ correctness, and the use of competitive analysis to measure throughput- 
efficiency. In Section |3] we present a protocol that is provably optimal with respect to throughput- 
efficiency, is provably secure, and requires reasonable memory of internal nodes. We emphasize that 
the focus of this paper is on the theoretical feasibility of routing in highly unreliable networks, and 
in particular no attempt has been made to minimize constants or prototype our protocol in live 
experiments. 

1.1 Previous Work 

Development and analysis of routing protocols relies heavily on the assumptions made by the 
network model. In this section, we explore various combinations of assumptions that have been 
made in recent work, highlighting positive and negative results with respect to each network model, 
emphasizing clearly which assumptions are employed in each case. Since our work focuses on the- 
oretical results, for space considerations we do not discuss below the vast amount of research and 
analysis of routing issues for specific network systems encountered in practice, e.g. the Internet. 
Even still, the amount of research regarding network routing and analysis of routing protocols is 
extensive, and as such we include only a sketch of the most related work, indicating how their 
models differ from ours and providing references that offer more detailed descriptions. 

End-TO-End Communication: While there is a multitude of problems that involve end-to-end 
communication (e.g. End-to-End Congestion Control, Path- Measurement, and Admission Control), 
we discuss here work that consider networks whose only task is to facilitate communication be- 
tween the Sender and Receiver. Some of these include a line of work developing the Slide protocol 
(the starting point of our protocol): Afek and Gafni p], Awerbuch et al. [12], Afek et al. [1], and 



Kushilevitz et al. |22| . The Slide protocol (and its variants) have been studied in a variety of net- 
work settings, including multi-commodity flow (Awerbuch and Leighton |11]). networks controlled 
by an online bursty adversary (Aiello et al. [4]), synchronous networks that allow corruption of 
nodes (Amir et al. [7j). Bunn and Ostrovsky consider in [18j an identical network model to the 
one considered in the present paper, and prove a matching upper and lower bound on optimal 
throughput performance (in terms of competitive ratio) for this model. However, the mechanisms 
they employ to handle malicious activity is extremely expensive (in terms of memory); indeed an 
open problem posed in [18j was whether a protocol can achieve security against malicious nodes at 
no extra (asymptotic) cost with respect to memory. We answer this question affirmatively in this 
paper, presenting a protocol that reduces memory requirements by a factor of n^ (from &{n'^) to 
G(n^), for networks with n nodes). 

Fault Detection and Localization Protocols: There have been a number of papers that 
explore the possibility of corrupt nodes that deliberately disobey protocol specifications in order 
to disrupt communication. In particular, there is a recent line of work that considers a network 
consisting of a single path from the sender to the receiver, culminating in the recent work of Barak 
et al. |13) (for further background on fault localization see references therein). In this model, the 
adversary can corrupt any node (except the sender and receiver) in an adaptive and malicious man- 
ner. Since corrupting any node on the path will sever the honest connection between sender and 
receiver, the goal of a protocol in this model is not to guarantee that all messages sent are received. 
Instead, the goal is to detect faults when they occur and to localize the fault to a single edge. 

Goldberg et al. |20j show that a protocol's ability to detect faults relies on the assumption that 
One- Way Functions (OWF) exist, and Barak et al. |13| show that the (constant factor) overhead (in 
terms of communication cost) incurred for utilizing cryptographic tools (such as MACs or Signature 
Schemes) is mandatory for any fault-localization protocol. Awerbuch et al. [lOj also explore routing 
in the Byzantine setting, although they do not present a formal treatment of security, and indeed a 
counter-example that challenges their protocol's security is discussed in the appendix of |13] . 

Fault Detection and Localization protocols focus on very restrictive network models (typically 
synchronous networks with fixed topology and some connectivity assumptions), and throughput- 
performance is usually not considered when analyzing fault detection/localization protocols. 

Competitive Analysis: Competitive Analysis was first introduced by Sleator and Tarjan [26] as a 
mechanism for measuring the worst-case performance of a protocol, in terms of how badly the given 
protocol may be out-performed by an off-line protocol that has access to perfect information. Recall 
that a given protocol has competitive ratio 1/A (or is X- competitive) if an ideal off-line protocol has 
advantage over the given protocol by at most a factor of A. 

One place competitive analysis has been used to evaluate performance is the setting of distributed 
algorithms in asynchronous shared memory computation, including the work of Ajtai et al. J6]. This 
line of work has a different fiavor than the problem considered in the present paper due to the na- 
ture of the algorithm being analyzed (computation algorithm verses network routing protocol). In 
particular, network topology is not a consideration in this line of work (and malicious deviation of 
processors is not considered). 

Competitive analysis is a useful tool for evaluating protocols in unreliable networks (e.g. asyn- 
chronous networks and/or networks with no connectivity guarantees), as it provides best-possible 
standards (since absolute performance guarantees may be impossible due to the lack of network 
assumptions). For a thorough description of competitive analysis, see |15] . 



Max-Flow and Multi- Commodity Flow: The Max-flow and multi-commod- ity flow models 
assume networks that are synchronous with connectivity /liveness guarantees and have incorrupt- 
ible nodes (max-flow networks also typically have fixed topology and are global-control: routing 
protocols assume nodes can make decisions based on a global-view of the network; as opposed to 
only knowing what is happening with adjacent links/nodes). There has been a tremendous amount 
of work in these areas, see e.g. Leighton et al. |23) for a discussion of the two models and a list of 
results, as well as Awerbuch and Leighton [11] who show optimal throughput-competitive ratio for 
the network model in question. 

Admission Control and Route Selection: The admission control/route selection model dif- 
fers from the multi-commodity flow model in that the goal of a protocol is not to meet the demand 
of all ordered pairs of nodes (s, t), but rather the protocol must decide which requests it can/should 
activate, and then designate a path for activated requests. There are numerous models that are con- 
cerned with questions of admission control and route selection: The Asynchronous Transfer Model 
(see e.g. Awerbuch et al. [9j), Queuing Theory (see e.g. Borodin and Kleinberg |16) and Andrews 
et al. [5]), Adversarial Queuing Theory (see e.g. Broder et al. |17| and Aiello et al. [5]). For an 
extensive discussion about these research areas, see [25] and references therein. 

The admission control/route selection model assumes synchronous communication and incorrupt- 
ible nodes and makes connectivity /liveness guarantees. Among the other options (fixed or dynamic 
topology, global or local control), each combination has been considered by various authors, see the 
above reference for further details and results within each specific model. 

1.2 Our Results 

In this paper, we consider the feasibility of end-to-end routing in highly unreliable networks, 
where unreliability is encountered both with repect to the edges of the network as well as the 
nodes. In particular, we consider asynchronous networks with dynamic topology and no connectivity 
guarantees; comprised of nodes that are susceptible to corruption and may deviate from protocol 
specifications in a delibirately malicious manner. 

We present a protocol that routes effectively in such a network setting, guaranteeing correct- 
ness with low memory burden per node. Furthermore, we use competitive analysis to evaluate the 
throughput-efficiency of our protocol, and demonstrate that our protocol achieves optimal through- 
put. Our protocol therefore represents a constructive proof of the following theorem: 

Theorem 1.1. Assuming Public-Key Infrastructure and the existence of a group-homomorphic en- 
cryption scheme, the protocol presented in Sectionl^is correct in a distributed asynchronous network 
with bounded memory and dynamic topology (and no connectivity assumptions), even if an arbitrary 
subset of malicious nodes deliberately disobey the protocol specifications in order to disrupt commu- 
nication as much as possible. Furthermore, this protocol achieves optimal competitive-ratio 1/n. 

As mentioned in Section II. Ij our protocol solves an open problem from jTB], which was to 
provide provable security (while maintaining optimal throughput) at no additional cost (in terms of 
required processor memory) over protocols that do not provide security against corrupt nodes. In 
this paper, we introduce novel techniques that enables our protocol to do exactly this: we reduce the 
memory burden of internal nodes frorro ©(n"^) to 0(n^), which matches the memory requirements 
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of a corresponding (insecure) protocol of [ij. We provide here a brief overview of the new insights 
that enabled us to achieve this reduction. 

It will first help to understand why the overhead of 0(n^) for memory per node in [TS] was 
necessary to protect against malicious behavior. We note that while the protocol of [ISj (as well 
as the protocol presented in Section [3] below) both provide correctness in the presence of malicious 
nodes that may deviate from the protocol in any manner, it is useful to consider a specific form 
of misbehavior to motivate where the @{n^) comes from. Consider a strategy of corrupt nodes 
to limit throughput by replacing valid packets with junk packets, so that the Receiver does not 
get many valid packets. Since our protocol (as with the protocol of [18j) has the Sender sign all 
packets before inserting them into the network, honest nodes will never accept packets that are not 
properly signed. However, malicious nodes may follow all protocol specifications except that they 
replace (new) packets that they receive with (old) packets that they received earlier, thus effectively 
deleting all the new packets that the Sender inserts and ensuring the Receiver only gets a limited 
number of (distinct) packets. 

The protocol of [18j countered this packet-replacement strategy by having each node maintain 
a signed transaction with each of its neighbors, recording the number of times every packet was 
passed between each adjacent neighbor. While it is demonstrated in |18) that this mechanism will 
successfully identify a corrupt node that employs the packet-replacement strategy (if malicious node 
N replaces packet p with p', then the neighbors of A^ will be able to demonstrate that the net number 
of times A^ received p is strictly greater than the number of times A^ sent p; and vice- versa for p'), 
this mechanism was extremely costly in terms of required memory: Each node had to remember, 
for every packet p it encountered, the number of times it sent /received p along each of its adjacent 
edges. For networks with n nodes, since there were 0(n^) relevant packets and a node may have 
G(n) neighbors, the memory burden of storing this transaction information was 0(n^). Not only did 
this large memory complexity mean the protocol of |18| was unlikely to be feasibly implemented in 
practice, it was also the case that the cost of n^ for storing the transaction history (for the purpose 
of identifying corrupt behavior) far out-weighed the per-node memory costs of the data packets 
being transferred (n^), so the memory resources were being consumed by network monitoring as 
opposed to routing. 

The present paper overcomes both of these issues, reducing the overall memory burden to 0(n^), 
as well as allocating the majority of resources to routing instead of monitoring. In order to achieve 
this, we had to abandon the idea of tracking each individual packet, and develop a novel technique to 
address packet-replacement. We began by generalizing the strategy of having every node maintain- 
ing a signed transaction history for every packet p exchanged between its neighbors: We partition 
the D = B(n^) packets to be sent into K sets {Si, . . . ,Sk} of size D/K (K will be a parameter, 
whose value will be optimized later), and then we have nodes record transaction information with 
their neighbors on a pei-set basis rather than a pei-packet basis. So for example, if packet p £ S is 
transferred between two nodes, both nodes will simply record that some packet in S was transferred 
between them, but not the specific packet. In this way, if a malicious node replaces a packet p £ S 
with a packet p' G S', then the Sender can identify this node via the per-group transaction history 
if and only ii S ^ S' . 

With this generalization, we see that as K varies in [1,-D], there is a trade-off in the memory 
burden of storing the transactions and the probability of protecting against packet-replacement. 
At one extreme, setting K = D reduces our generalization to the protocol of |18| . and packet- 
replacement can be detected with probability one and memory cost Q{nD). At the other extreme. 



setting K = 1 means that each node is recording the total number of packets sent /received across 
each edge, and so the memory burden is only Q{n) (each node stores only one quantity per adjacent 
edge), but the probability that the transaction reports can identify a node that is performing packet- 
replacement is zero, since the per-set transactions do not distinguish any packet from any other if 
all packets belong to the same set. For intermediate values of K, the memory burden of the per- 
group transactions is Q{nK); but K^s affect on the probability of identifying a corrupt node that 
is performing packet-replacement depends on the specifics of the protocol and the manner in which 
the node is performing packet-replacement. The primary technical achievement of this paper was 
in developing a mechanism that guarantees that any packet-replacement strategy performed by 
malicious node(s) will succeed only with negligible probability, even for values of K that keep the 
memory burden low. 

We achieve this by first using error-correction to ensure that our protocol is robust enough to 
handle minor amounts of packet-replacement and still transmit messages, so that in order to impede 
communication via the packet-replacement strategy, a large number of packets must be replaced. 
Next, we observe that if a malicious node replaces a packet p G S with p' € S', then if the choices 
of p and p' are uniformly random (among the D total packets), then the probability that S = S' 
is roughly 1/K. By using cryptography, we are able to obfuscate the partitioning of packets into 
sets in a manner that is invisible to all nodes except the Sender, and we demonstrate how this 
reduces any adversarial strategy of packet-replacement to the uniform case of replacing one packet 
with a randomly chosen second packet. With this reduction in hand, it becomes a straightforward 
probabilistic analysis for choosing an appropriate value for the parameter K so as to minimize 
memory burden and still guarantee (with negligible probability of error) that packet-replacement 
will be detected. Details of the protocol and this analysis can be found in Section [3l 

2 The Model 

In this section, we describe formally the model in which we will be analyzing routing protocols. 
The network is viewed as a graph G with n vertices (or nodes) , two of which are designated as the 
Sender and Receiver. The Sender has a stream of messages {mi,m2, ■ ■ ■} that it wishes to transmit 
through the network to the Receiver. 

We model asynchronicity in our network via an edge-scheduling adversary A that controls the 
edges of the network as follows. Define a round to consist of a single edge E{u,v) in the network 
(chosen by the adversary) being activated: 

1. If ^ has at least one packet from u to be sent to v, then A delivers exactly one of them (of 
^'s choosing) to v; the same is done for one packet from v to u 

2. After seeing the delivered packet, u (resp. v) chooses the next packet to send v (resp. n), and 
gives this to A (this packet will be stored by A until the next time E{u, v) is activated) 

If u does not have a packet he wishes to send v in Step (2), then u can choose to send nothing (as 
is true for v). Similarly, the Adversary does not send anything to v in Step (1) if he is not storing 
a message from u to v during round E{u,v). 

Aside from obeying the above specified rules, we place no additional restriction on the edge- 
scheduling adversary. In other words, it may activate whatever edges it likes (this models the fact 
our network makes no connectivity assumptions), wait indefinitely long between activating the same 
edge twice (modeling both the dynamic and asynchronous features of our network), and do anything 



else it likes (so long as it respects steps (1) and (2) above each time it activates an edge) in attempt 
to hinder the performance of a routing protocol. 

For ease of discussion, we assume that all edges in the network have a fixed bandwidth/capacity, 
and that this quantity is the same for all edges in the network. We emphasize that this assumption 
does not restrict the validity of our claims in a more general model allowing varying bandwidths, 
but is only made for ease of exposition. 

In addition to the edge-scheduling adversary, our network model also allows for a polynomially 
bounded node-controlling adversary to corrupt the nodes of the network. The node-controlling ad- 
versary is malicious, meaning that he can take complete control over the nodes he corrupts and force 
them to deviate from any protocol in whatever manner he likes. We further assume that the node- 
controlling adversary is adaptive, which means he can corrupt nodes at any stage of the protocol, 
deciding which nodes to corrupt based on what he has observed thus far. We do not impose any 
"access-structure" limitations on the node-controlling adversary: he may corrupt any nodes it likes 
(although if the Sender and/or Receiver is corrupt, secure routing between them is impossible). We 
will say a routing protocol is correct if the Receiver eventually gets all of the messages sent by the 
Sender, in order and without duplication or modification. 

The separation of the two adversaries (edge-scheduling and node-controlling) into two distinct 
entities is solely for conceptual purposes to emphasize the nature of unreliability in the edges verses 
the nodes. For ease of discussion, we will often refer to a single adversary that represents the 
combined efforts of the edge-scheduling and node-controlling adversaries. 

Finally, our network model is on-line and distributed, in that we do not assume that the nodes 
have access to any information (including future knowledge of the adversary's schedule of activated 
edges) aside from the packets they receive during a round they are a part of. Also, we insist that 
nodes have bounded memory which is at least ri(n^)o 

Our mechanism for evaluating the throughput performance of protocols in this network model 
will be as follows: Let /^ : N — )• N be a function that measures, for a given protocol V and 
adversary A^ the number of packets that the Receiver has received as a function of the number of 
rounds that have passed. Note that in this paper, we will consider only deterministic protocols, so 
/p is well-defined. The function /^ formalizes our notion of throughput. 

We utilize competitive analysis to gauge the throughput-performance of a given protocol against 
all possible competing protocols. In particular, for any fixed adversary A^ we may consider the ideal 
"off-line" protocol V' which has perfect information: knowledge of which nodes are corrupt and all 
future decisions of the scheduling adversary. That is, for any fixed round x, there exists an ideal 
off-line protocol 'P'(^, x) such that /^/(x) is maximal. 

Definition 2.1. We say that a protocol V has competitive-ratio 1/A (respectively is A-competitive) 
if there exists a constant k and function g(n,C) (C is the memory bound per node) such that for 
all possible adversaries A and for all x G No 

/#.(x) < {k- \) ■/#(x) + g{n,C) (1) 

Note that while g may depend on the size of the network n and the bounds placed on processor 
memory C, both g and k are independent of the round x and the choice of adversary A. Also, we 
demand that the ideal protocol V' never utilizes corrupt nodes, once they have been corrupted. 
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We assume a Public-Key Infrastructure (PKI) that allows digital signatures. In particular, before 
the protocol begins we choose a security parameter sufficiently large and run a key generation 
algorithm for a digital signature scheme, producing n = \G\ (secret key, verification key) pairs 
{sku,vku)- As output to the key generation, each processor u G G is given its own private signing 
key sku and a list of all n signature verification keys vk^ for all nodes v G G. In particular, this 
allows the Sender and Receiver to sign messages to each other that cannot be forged (except with 
negligible probability in the security parameter) by any other node in the system. 

We also assume the existence of a homomorphic encryption scheme iS on a group Q, whereo 
\Q\ = Q{n'^). To simplify the exposition, in what follows we will assume Q = Zijy for sufficiently 
large A^. We note that such a scheme exists under most of the commonly used cryptographic as- 
sumptions, including /actorin^' [2?], discrete log [19], quadratic residuosity [21], and subgroup decision 
problem [14J. We extend our encryption scheme to Z,fj in the natural way: 

£: Zn X ■■■ xZn ^ T-Lx ■■■ xn via £{gi, . . . ,gk) := {£(91), . . . ,£igk)) 

Finally, we assume that internal nodes have capacity C G Q{n'^) (and in particular G > 24n^), 
and that the capacity on each edge, i.e. the number of bits that can be transferred across each edge 
in a single round, is Q{k'^ + logn). 

3 Routing Protocol 

In this section we present a routing protocol that enjoys competitive-ratio 1/n with respect 
to throughput in networks modelled as in Section |2l which is optimal [18]. We give an overview 
of the various components and an abbreviated description of the protocol in Section 13.11 (due to 
space constraints, pseudo-code and technical details appear in the Appendix). The analysis of our 
protocol, including a proof of its security against the combined efforts of the node-controlling and 
edge-scheduling adversaries, can be found in Section [3.21 



3.1 Description of the Routing Protocol 

The starting point of our protocol will be the Slide Protocol, introduced by Afek et at. [3], 
and further developed in a series of works: [12], [T], |22) . [7], and |18) . The original Slide protocol 
assumes that nodes have buffers (viewed as stacks) able to store C = B(n^) packets at any time. 
Loosely speaking, the Slide protocol works by creating a flow of packets from Sender to Receiver 
in the following manner: Assume for the moment there is a relatively stable network topology, in 
which case nodes "near" the Sender will tend to have relatively full buffers, while nodes near the 
Receiver will have relatively empty buffers. Therefore, when the Sender introduces a packet into 
the network, the packet will start with a large "potential," i.e. it will be stored at the top of a 
relatively full buffer. The transfer rules of Slide dictate that a packet can only travel from one node 
to another if the latter node is currently storing fewer packets. This can be viewed as pressure 
forcing the packet to flow downhill and hence decreasing the packet's potential. The Slide protocol 
was motivated by this guiding principle. 

An important detail of Slide (as well as our protocol) involves the use of error- correction to 
account for packets that get stuck in the buffer of a node that became isolated from the rest of the 
network due to edge- failures. In particular, the initial stream of messages are divided into message 
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blocks of size @{nC) = 0(n'^). Each message block is then expanded into a codeword consisting of 
D = Q{n^) packets. The Receiver can decode the codeword and obtain the original message block 
provided he receives a constant fraction of the codeword packets. 

Our protocol modifies the original Slide protocol to provide security against a node-controlling 
adversary at no additional (asymptotic) cost: competitive-ratio of throughput remains optimal 
(1/n), and the memory per internal node is within a factor of two of the memory requirement of 
the original Slide protocol. 

Recall from Section |2] that our network model dictates that edges in the network are activated 
one at a time by the scheduling adversary. A brief description of our protocol, which describes what 
a node u does when it is adjacent to an edge E{u, v) that is activated, can be found in Figure [T] 
below (a full description of the protocol via pseudo-code can be found in Appendix lA)) . 



Routing Rules for node u along E{u, v) 

# Notation: p is a packet, g is a packet of control info, iTu(-) is n's sig., <I>u is m's potential drop 
Input: 
H', (pj cr^p')), {q[, cr^gi)), {q'2, cr„'(g2)), i'^x',(^x'i'^x'))## Received From v (via A) 
H, {p, o-„(p)), (gi, cr„(gi)), (g2, cr„(g2)), {^x, c^x{^x)) ## Prev.veq.u sent v (via A) 
DO: 
Store control info, in (g2, o-„'(g2)) and {^x' ,o'x'{^x')) (if properly signed) 
If Ready is true: 
If u is the Sender: ## (Sender) Insert Packet 

li H' < C — n: Update control info, to reflect p was inserted; 
Else If u is the Receiver: ## (Receiver) Receive Packet 

If H' > n: Update control info, refecting p was successfully received 
Else li H > H' + C/2n - 2n: ## Send Packet 

Delete {p, asip)), and update control info, along E{u,v) reflecting transfer of p 
Else li H < H' - C/2n + 2n: ## Receive Packet 

Store (pj as(p')), and update control info, along E{u,v) reflecting transfer of p 
Send to 11 (via A) the packets from Select Packets to Send 
Ready 

Return True if the following are satisfied, else Return False: 
u and V are not blacklisted or eliminated 

u has received all the required control info, from Sender for the current trans. 
The control information gi matches gi and is properly signed by v via crt,(gi) 

Select Packets to Send 

(p, CTu(p)): u selects p w/ highest height that is not in an outstanding req. to A 

Current height H of u's buffer 

Control Packet: (gi, cr(gi)) containing updated info, about packet transfers &\ongE{u,v) 

Potential Packet: (<l>a;,o"a;($a;)), where ^x represents the potential drop at x 

Status Packet: (g2, o"iu(g2)) from S/i? OR Testimony Packet signed by node w whose testimony it is 



Figure 1: Succinct Description of Packet Transfer Rules of Our Protocol 

It remains to explain exactly what kind of data comprises the control information, and the rules 
governing the transfer of this information through the network to the Sender (notice the packets gi, 
52 , and $ being transferred in Figure [T]) , who is responsible for assimilating the control information 
and using it to identify a corrupt node that has been disobeying protocol specifications. 

Nature of Control Information. There are four forms of control information: (a) Status infor- 
mation originating from the Sender regarding the blacklist (described below) or from the Receiver 
indicating the status of the current message transmission; (b) Information pertaining to the current 
codeword transmission, containing (signed) information about the packet transfers between a node 
and its neighbor; (c) Information pertaining to prior transmissions, used by the Sender to determine 
the actions of each node in the relevant transmission; and (d) Information pertaining to a node's 
cummulative potential drop (described below). Note that the control information in (b) is cummu- 



codeword packets an integer value in [1,/c]. Define the distribution x '■ D ^- Z^ to represent these 
assignments; i.e. if packet p has been assigned value i G [1, A;], then x{p) is the unit vector in Z^ 



lative, representing quantities (described below) that are continually updated each time a packet 
is transferred between two nodes, and this control information is stored locally by a node and its 
neighbor. Meanwhile, the control information in (c) represents the final values that the quantities 
in (b) had at the end of the relevant transmission, and this information (along with types (a) and 
(d)) is relayed to all nodes in the network (and ultimately collected by the Sender and/or Receiver). 

To distinguish the four types of control information, we will refer to information of type (a) as 
status packets, type (b) as control packets, type (c) as testimony packets, and type (d) as potential 
packets. Notice from Figure [T] that one control packet, one potential packet, and either one status 
packet or one testimony packet can be transferred every time an edge is activated. 

Control and Testimony packets consist of two types of quantities on each edge: 

CI-1. The net potential drop ^u,v (defined below) across adjacent edge E{u,v) 

CI-2. The cummulative sum Yln^ixip)) of every packet p transferred across the adjacent 

edge E{u, v) (described below) 

The potential drop in CI-1 is defined to be the difference in the heights (always measured as a 
positive quantity) between two adjacent nodes during each round that a packet was transferred; 
i.e. \H' — H\ in Figure [TJ Note that whenever a node u sends $„ to a neighbor, it will compute 

As for CI-2, recall from Section [2] the existence of a homomorphic encryption scheme £ on Z^. 
At the start of each codeword transmission, the Sender will randomly assign each of the D = ©(n^"* 

7k 

unit vector in Z^y 

with a '1' in the i''^ coordinate. Note that only the Sender knows Xi as the internal nodes only see 
encrypted values £{xip)) that are formed by the Sender. 

All communication is signed to ensure authenticity. In particular, each packet p is signed by 
the Sender, and this signature, together with the quantity £{xip)), accompany the packet until it 
reaches the Receiver. This signature prevents corrupt nodes from modifying packets or introducing 
junk packets. Also, all parts of the control information between two nodes are signed by both nodes. 

Failed Transmissions and the Blacklist. The routing rules presented in Figure [1] describe how 
nodes route packets within a single message (codeword) transmission. We briefly describe how/ when 
the transmission of one message ends and the next begins, and what happens in between. 
The end of each transmission is marked by one of the following four events: 

SI Sender gets a message indicating Receiver decoded the current codeword 

F2 Sender learns there were inconsistencies in potential differences 

F3 Sender inserted all (current) codeword packets (and SI did not occur) 

F4 Sender is able to identify a corrupt node 
In the case of SI, the codeword was delivered successfully, and the Sender will begin inserting packets 
corresponding to the next codeword. In the case of F4, the Sender will eliminate the identified node 
(i.e. alert all nodes to never trust or utilize the corrupt node again), and begin anew transmitting 
packets of the current codeword. The other two cases correspond to failed attempts to transfer the 
current codeword due to corrupt nodes disobeying protocol rules, and in both cases the Sender will 
use testimony packets to identify a corrupt node. 

In cases F2 and F3, the Sender will begin anew transmitting packets corresponding to the current 
codeword. Before nodes are allowed to participate in transferring the codeword packets, they must 
first learn that the last transmission failed and the Sender must receive the node's testimony packets 



for that transmission^ Until the Sender has received all of a node's testimony for a given failed 
transmission, that node will be put on the blacklist: No honest node u will transfer any codeword 
packets to another node v until u obtains verification from the Sender that the Sender has received 
w's complete testimony (see e.g. the conditions under which Ready returns true in Figure[T|). Notice 
that testimony packets are routed back to the Sender as described via 52 in Figure [1] 

At the start of each message transmission, the Sender will create the Start of Transmission 
Message, which consists of a list of eliminated nodes and of blacklisted nodes (and the transmission 
index for which each blacklisted node was placed on the blacklist). During a message transmission, 
if the Sender receives all of the missing testimony packets for a blacklisted node, the Sender will 
create a single packet indicating this node should be removed from the blacklist. Also, if the Sender 
receives a testimony packet that allows him to identify a corrupt node, the Sender will immediately 
end the transmission as in F4 (described above) . Note that the Start of Transmission Message and 
the packets indicating a node should be removed from the network fall under the "status packets" 
category of control information (type (a)), and appear in the routing rules of Figure [T] as 52- 

Finally, if the Receiver is able to decode the current codeword, or if the Receiver notices incon- 
sistencies from the potential packets {$,i}, then the Receiver forms a single packet indicating this 
fact. This packet is routed back to the Sender as described via ^2 in Figure [U and once received, 
the Sender will end the current message transmission either as in Case SI or F2 (as appropriate). 

3.2 Analysis of the Routing Protocol 

In this section we present proofs regarding the correctness of our protocol, its memory require- 
ments, and its competitive-ratio with respect to throughput. 

Theorem 3.1. The protocol described in Section\3\ requires at most 0{n^P) bits of memory of the 
internal nodes. 

Proof. We break down the memory cost of each component of the protocol. First, a node must 
store up to C = 0(n^) codeword packets of size @(P). In terms of control information, at any 
time a node must store: At most 2n status packets; at most n control packets; at most n^ testimony 
packets; and at most n potential packets. Adding these contributions, each internal node stores up 
to 0{n^P) bits. ■ 

Note that the original Slide protocol also requires memory 0(n^P), and so our protocol allows 
for additional security against the node-controlling adversary without increasing the (asymptotic) 
memory burden placed on the nodes. 

Proof of Theorem \l.l[ Recall that correctness means that the Receiver gets the (unaltered) messages 
sent by the Sender in-order. The integrity of the messages received by the Receiver is assured 
(with all but negligible probability in the security parameter) by the fact that the Sender signs all 
messages, and no (honest) node (and in particular the Receiver) ever accepts a packet that does 
not have a valid signature. The fact that messages arrive in order follows from our protocol's use 
of error-correction (which allows for some codeword packets to arrive out of order and/or get lost 



Recall that "testimony packets" refers to control information of type (c), and it consists of all of the signatures on 
the control information CI-1 and CI-2 that the node was storing from its neighbors for the transmission in question; 



i.e. the final values of the "control packets" (control information of type (b)). 
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in transmission), and the fact that the Sender repeats all codeword transmissions for transmissions 
that failed as in Case F2-F4. 

That our protocol achieves competitive-ratio 1/n follows immediately from Lemma 13.21 below. 
Recall from Definition 12.11 that competitive analysis evaluates the throughput performance of a pro- 
tocol by comparing it to an ideal, off-line protocol. To set notation, for any x E N, let (A{x),V'{A)) 
denote the adversary/off-line protocol pair for which we compare our protocol V. 

Lemma 3.2. If at any timeV' has received Q{xn) messages, thenV has received Q{x—n^) messages. 

Proof. Lemma [3.51 below states that for all successful transmissions, our protocol is within a factor 
of n of the throughput performance of the off-line protocol V' . Meanwhile, Lemma [3. 31 below states 
there are at most v? failed transmissions (F2-F4), and Lemma [33] states that in these transmissions, 
the ideal off-line protocol V' can deliver at most 0{n) messages (since messages consist of 0(nC) 
packets). Therefore, the ideal off-line protocol can deliver at most 0{n^) messages during failed 
transmissions. Note that the extra (at most) 0{n^) messages that the off-line protocol delivers do 
not affect competitive-ratio, as they can be absorbed in the additive term g[n, C) for competitive- 
ratio (see Definition 12. ip . 

Lemma 3.3. There are at most v? failed transmissions (Cases F2-F4-). 

Proof. The main idea in bounding the number of failed transmissions is to argue that the Sender 
will be able to eliminate a corrupt node if he has the complete testimonies from every node that 
participated in some failed transmission. Case F4 occurs when a corrupt node is eliminated, which 
can happen at most n = |G| times. 

Bounding the number of times F2 and F3 can occur is done in two parts: first we prove that 
there can be at most n — 1 failed transmissions before the Sender necessarily has the complete 
testimonies from all nodes who participated in one of those failed transmissions (Lemma IB.2p . 
Next we argue that the Sender can necesarily identify (and eliminate) a corrupt node if he has the 
complete testimony of all nodes who participated in a failed transmission (Lemma 13. 4p . 

The intuition for how the testimonies allow the Sender to identify a corrupt node for a failed 
transmission F2 or F3 is as follows. A transmission fails as in Case F2 when a corrupt node is 
transferring packets against transfer rules (e.g. from smaller heights to larger heights, or when 
a corrupt node is duplicating packets). Both of these can be detected by looking at the node's 
communication with each of its (honest) neighbors, who have recorded the height differences caused 
by each packet transfer. So for transmissions that fail as in Case F2, the Sender will look for a node 
whose cumulative height drop is negative (this information is available through the CI- 2 signed 
communications). Meanwhile, when a transmission fails as in case F3, there is a corrupt node that 
is deleting packets. The Sender can identify such a node u when he has received each of the signed 
communications (CI-1) from each of u's (honest) neighbors. 

We state and sketch the proof of Lemma 13.41 below; for space constraints the statement and 
proof of Lemma IB. 2! is in Appendix [B] ■ 

Lemma 3.4. Suppose transmission T failed as in Case F2 or F3, and at some later time (after 
T hut before any additional nodes have been eliminated) the Sender has received all the testimonies 
packets from all nodes that were not blacklisted during T. Then the Sender can eliminate a corrupt 
node. 

Proof. (Sketch) Note that since codewords contain D = nC /\ packets (where A is the error-rate of 
the code), if the Sender has inserted all D codeword packets, then the Receiver should have been 
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able to decode the message, even if every internal node's buffer is full; i.e. D — [n — 2)C > (1 — X)D. 
Therefore, if a transmission fails as in Case F3, there is necessarily a corrupt node that is deleting 
packets (or equivalently, storing more packets than it is allowed to). With all of the testimony 
packets (and more precisely the information stored in CI-2), the Sender can identify such a node u: 
u's neighbors will have proof that they transferred a collection of packets to u, and yet u will not 
be able to demonstrate it forwarded these packets on to other nodes. 

Meanwhile for Case F2 since we are not in Case F3, the Sender inserted fewer than D packets for 
these transmissions. In particular, the amount of potential "injected" into the network via insertions 
by the Sender is less than CD (since packets are inserted into some internal node's buffer at height 
at most C). Meanwhile, the cummulative potential drop caused by packet transfers exceeds CD 
(this is the formal definition of Case F2, see line 15 of the pseudo-code in Figure A. 6 in Appendix 
lAJ which describes Case F2 precisely). Since the potential drop exceeds the amount of potential 
increase caused by insertions, there is a corrupt node u that will have inconsistencies with respect 
to the potential changes caused by packet transfers with all of its neighbors, and the Sender can 
identify u with all of the testimony packets (and more precisely the information stored in CI-1). 

Rigorous proofs for these two cases are provided in Lemmas IB. 31 and IB. 41 ■ 

Lemma 3.5. In any transmission (regardless of the reason SI or F2-F4 that the transmission 
ended), the ideal off-line protocol can deliver at most @{n'^C) packets. If the transmission was suc- 
cessful (as in SI), then our protocol successfully delivered a message of Q{nC) packets. 

Proof. (Sketch). This lemma is proven formally in Lemma [B. II in Appendix[Bl The second statement 
of the lemma is immediate: messages have D=nC / \=Q{nC) packets, and transmissions end as in 
SI when the Receiver decodes the message. 

The first statement involves showing that regardless of the reason a transmission ends (SI or 
F2-F4), the ideal off-line protocol can have successfully delivered at most \QnD packets. The proof 
proceeds by imagining a virtual world in which the ideal off-line protocol V' and our protocol V are 
run simultaneously in two identical networks. We then show that every message transmission of V 
will necessarily end as in F2 (if it has not already ended as in SI, F3, or F4) by the time V' has 
delivered 16n-D = Q{v?C) packets. 

Intuitively, the proof argues that because the ideal protocol V' is restricted to using honest 
nodes, if V' is ever able to deliver IQnD packets, then the path of each packet en route from Sender 
to Receiver necessarily consists solely of honest nodes. We partition each of these IQnD packets 
into two sets: (i) Packets p' for which there was at least one round in which V' transferred p' and V 
also transferred a packet during this round; and (ii) Packets p' that were never transferred by V' in 
the same round as when V transferred a packet (recall that we are viewing V' and V as operating 
simultaneously). We argue that regardless of how the IQnD packets split between (i) and (ii), F2 
has necessarily happened. 

Suppose first that there have been Q{nD) packets falling in Case (i). Then for the guaranteed 
round E{u,v) in which V transferred a packet at the same time as one of the Q{nD) packets, $„ 
and <I>j, will increase by at least \Hu-IIv\>n (see Fig.[Tl and note Hg—C since the Sender's buffer is 
always full and that Hr=0 since the Receiver's buffer is always empty). As the 16nD packets pass 
through the network to the Receiver, the quantities {$«} are passed as well, and the Receiver will 
have stored values for {^u} satisfying: X^^gg-^u £ &{n?D), which is the condition that indicates 
to the Receiver there have been "inconsistencies in potential differences" causing failure as in F2 
(see line 15 of Fig. A. 6). 



12 



On the other hand, suppose that there have been Q{nD) packets falhng in Case (ii). For each 
such packet p' , notice that this imphes that when V' transferred p' from the Sender to some node u, 
it must be the case that u's buffer had height with respect to V satisfying Hu > C — n (otherwise, 
our protocol would have transferred a packet this round, and so p' is not in Case (ii); see Figure [T|). 
Similarly, when V' transferred p' from some node v to the Receiver, it must be that v's buffer had 
height with respect to V satisfying H^ < n. Therefore, p' passed from a node with height at least 
C — n to a node with height at most n. Also, every time p' was transferred between two nodes x 
and y, the fact that p' is in Case (ii) implies that \Hx — Hy\ < C/2n — n (where the heights are with 
respect to V). Therefore, since there are n — 2 internal nodes, it is not possible that V does not 
transfer any packets between the time p' is inserted by the Sender to the time p' is received by the 
Receiver. Afterall, this would require p' to pass between internal nodes that are within C/2n — n 
of each other's height (with respect to P), from a node of height at least C — n to a node of height 
at most n; which is impossible. Indeed, the formal proof demonstrates that V must transfer a lot 
of packets between the time p' is inserted by the Sender and the time it is received by the Receiver; 
in particular, we show that if there have been Q{nD) packets falling in Case (ii), then there have 
been at least Q{nD) packet transfers between nodes with respect to protocol V. Consequently, the 
argument used for Case (i) that F2 necessarily occurred can be applied here. ■ 
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Variable and Notation Definitions 

G = Network (graph) consisting of n nodes 

s,r = Sender, Receiver 

T = Transmission index 

C = Capacity of (internal) node's buffer; i.e. number of packets a node can store 

B = Capacity of each node to hold extraneous (control) information 

COPY = Buffer to store a copy of current codeword packets (in case trans, fails) 

D = ^ = Number of packets per codeword 

EN = List of Eliminated Nodes 

'ifu.v = Sum of £{xip)) for each packet p sent across E{u, v) 

'ifv.u = Sum of £{x{p)) for each packet p rec'd across E{v, u) 

'i/u = Sum of £{x{p)) for each packet p that u is storing at end of relevant trans. 

$u,D = (H, H') Cumm. ht. out H and ht. in H' of packets sent across E{u, v) 

^v,u = {H, H') Cumm. ht. in H and ht. out H' of packets ree'd across E{v, u) 

"I>u = Total potential drop caused by packet transfers across all edges adj. to u 

Gp = Ghost packet associated to p (See Internal Node Create Next Request in Fig. A. 6) 

H, H' = Number codeword packets node is storing (i.e. height) 

BBu = u's Broadcast Buffer 

BLu = u's version of the Blacklist 

DBs = Sender's Data Buffer, stores testimony packets (for eliminating corrupt nodes) 

SOT = Start of Transmission broadcast 

EOT = End of Transmission broadcast 

Q = First packet of the Start of Transmission broadcast 

SI, F2, F3, FA = Control Packets indicating Successful or Failed transmission, 

and the reason for failure 
p,p' = Codeword packets 

qi,q\ = Testimony packets or SOT/EOT packets 
92 , 92 = Packet that equals $!„ for some node w G G 

a, a' = Control Packet; contains info, about prev. packet transferred across an edge 
(7(q) = Generic variable indicating a signature on the indicated (control) packet a 
X = Error-Correction rate 

p = Participating list, i.e. nodes that were not on the blacklist at least one round 
F = Number of Failed transmissions since last node was eliminated 
Y = Set of packets (from current codeword) knowingly inserted by Sender 
Z = Set of packets (from current codeword) received by Receiver 



Figure A.l: Definition of Variables 

B Lemmas and Proofs 

In this section, we fill in the missing details in the analysis of our protocol of Section |3] by 
re-stating and proving rigorously all of the incomplete proofs. When appropriate, the proofs will 
refer to specific lines in the pseudo-code. 

Lemma B.l. In any transmission (regardless of the reason SI or F2-F4 that the transmission 
ended), the ideal off-line protocol can deliver at most G(n'^C) packets. If the transmission was 
successful (as in SI), then our protocol successfully delivered a message of Q{nC) packets. 



Proof. The intuition outlining the proof was provided in the proof of Lemma 13.51 Formally, our 
proof follows exactly the proof of Lemma D.4 in |18| . In particular, although the protocol presented 
in this paper handles malicious activity in a novel manner (which allowed the current protocol to 
enjoy a 0(n^) reduction in memory cost), the rules for routing codeword packets, maintenance of the 
blacklist, and the conditions under which a transmission ends are exactly the same for our protocol 
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Routing Rules for Node u £ G 

01 Input: 

02 {v,u,{p',H'),{qi,q'2),{a',a{a'))) ## Received From i; (via yt) 

03 {u,v, {p, H),{qi,q2), {a,a{a))) ## Preu request sent to v (via ^) 

04 DO: 

05 Process the packets (91,92) as in Process Control Packets below 

06 If a matches a' , (j{a') is valid: 

07 If u=s and Ready(u) is true and H' <C~n: ## (Sender) Insert Packet 

08 Add p to Y; Delete p from input stream {pi,p2, . . . } 

09 Increase $, by C - i/' - C/2n - 5n, Add H' to $«,„ 

10 Increase ^s,„ by £{x{p)) 

11 Else If u=r and Ready(ii) is true and H' >n: ## (Receiver) Receive Packet 

12 If p' ^ Z: Add p' to Z; Store/output p' as a packet successfully received 

13 Increase $,. by H' + C'/2n ~ 5n, Add H' to <l>„,r 

14 Increase ^„,r by ^(^(p)) 

15 Else If u^r, s, Ready(u) is true, and H > H' + C/2n - 2n: ## Send Packet 

16 Delete p and Gp and Fill Gaps ## Slide down (ghost) p's to fill gaps 

17 Increase ^u hy H - H' - 2n, Add {H, H') to $„,„ 

18 Increase *„,„ by £(x(p)), and set Hu — Hu — 1 

19 Else If u/r, s, Ready(u) is true, and H < H' — C /2n + 2n: ## Receive Packet 

20 Store p' in location occupied by Gp 

21 Increase $„ by H' - H ~ 2n, Add {H, H') to <E>„,„ 

22 Increase '^v,u by £(x(p)) and set Hu = -ffu + 1 

23 Send to A the returned value of Create Next Request 



Figure A. 2: Routing Rules 



24 If 



Ready(v) ## Called from node u 

(a) u does not have (JItjT) in BBu OR 

(b) u has (fii,!) with ^t = {\EN\, |BL[,F), but has not yet 
received the corresponding |_EAi'| + |ii?L| packets of SOT 

(see lines 35-36 in Fig. A.6) OR 

(c) u has rec'd complete SOT, but every packet hasn't yet 
passed across _E(ii, «) OR 

{A)u has EOT G BBu, but this has not yet passed across E{u,v) OR 

(e) u or V £ BLu or u G ENu OR 

(f) u knows some w to remove from BL, but hasn't yet passed 
this fact across E{u, v) 

25 Return False 

26 Else: Return True 



Figure A. 3: Rules Dictating if a Node is "Ready" to Transmit Codeword Packets 



and that of |18) (this can be verified by comparing the pseudo-code for our protocol in Appendix |X] 
with the pseudo-code for the protocol in [18]). Indeed, the only difference in routing rules for these 
two protocols is the kind of data stored in the control information (and how this information is used 
by the Sender to identify corrupt nodes). In particular, the argument in |18) that their protocol 
will end as in Case F2 by the time the ideal protocol can deliver Q{n?C) packets (as was sketched 
in the proof of Lemma 13.51 above) remains valid for our protocol. ■ 



Lemma [B . II demonstrates that our protocol is within a factor of n of the throughput performance 
of an ideal off-line protocol, at least for successful transmissions. The goal of this section will be to 
bound the number of /ai/ed transmissions by n^ (Lemma 13. 3p . The inability of our protocol to deliver 
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Process Control Packets for Internal Nodes and Receiver u 

01 Input: 

02 (gi, (?2) ## Received From v (via A) 

03 DO: 



04 
05 

06 
07 
08 
09 
10 
11 
12 
13 



14 
15 
16 
17 



Add 52 to BB^ ## qi^ = $„ for some w. Replace old value, provided 
Add Qi to BBu ## new value is larger. Also remember that edge E(u, v) 

## has transmitted this information 
If q'l — Qt is the first packet of the current SOT: 

Clear BLu 
If q'l is the final packet of the current SOT: ## u knows |50T| via Qj 

Reset Variables 
Else If gi = w ^ ENu denotes a node to eliminate: 

Add q[ to ENu 
Else li q'l — w denotes a node to blacklist: 
Add q'l to BLn 

## The following signed values refer to the trans. T' that u 
## was blacklisted (this information is available via SOT) 
If w = u, sign and add to BBu'- 

(a) (1 packet) "i/u and $„; 

(b) (n — 1 packets) For each v € G\u: {'i!u,v,'^v,u) and {^u,u,^u.v); 

(c) If u — r, include with (b) above: For each v £ G\u: $„ 



Process Control Packets for Sender 

18 Input: 

19 (gi,g2) ' ## Received From v (via A) 

20 DO: 

21 Add q'l to DBs, Add q'2 to BBs (see comments on lines 04-05 above) 

22 If q'l is the last missing testimony packet for some w G BLs'. 

23 Remove w from BLs, and add fact w ^ BL to BBs 



f i gure A. 4 : Rules for Processing Contro l I nfonnat i on 

Reset Variables for Internal Nodes ana Receiver u 

01 DO: 

02 Clear BBu (except testimony packets from nodes on BLu) 

03 Delete all packets from previous transmission 

04 Set *u = 0; $„ = 0; V?;: *„,„ = *„,„ = 0; ^u.u = 'i>u,v = 0; 

05 If u=r: Z = 0; Vn : $„ = 



Reset Variables for Sender 

06 DO: 

Set F = 0; $, = 0, \fv: $, 



07 
08 
09 
10 
11 



0,*. 







If line 25 of Fig. A. 6 was True for T: 
Fill buffer and COPY with new codeword packets 

Else If either Une 22 or 27 of Fig. A.6 was True for T: 
Re-Fill buffer with packets from COPY, leaving COPY unchanged 



Figure A. 5: Rules For Resetting Variables at the Start of each Transmission 



a message during failed transmissions will not affect the competitive analysis of it throughput, since 
Lemma [3.51 also bounds the progress of the ideal off-line protocol in failed transmissions by B(n^C) 
packets, and thus the (up to) n^C extra packets delivered by the ideal off-line protocol (up to 
n^C packets in each of the up to "n? failed transmissions) can be absorbed in the additive constant 
term g{n,C) in Definition 12. II of competitive-ratio. We show in Lemma lB.21 below that there can 
be at most n — 1 failed transmissions before the Sender necessarily has the testimonies from all 
nodes participating in one of these failed transmissions. We then prove the Sender can necessarily 
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Internal Node Create Next Request for E{u, v) 

01 DO: 

02 Select a testimony packet qi£BBu that hasn't yet crossed _E (it,?;), with priority: 

03 1) EOT; 2) SOT; 3) Node to remove from BL; 4) Testimony of node on BL„ 

04 If Ready(u) is true: 

05 Set new p ## Find highest p in buffer not already sent in a request to A. 



06 Set new Gr, 



## Reserve the highest non-filled spot of buffer 



_L 



07 Else set p -- 

08 Set new g2 ## Chosen from n's values of #„, in round-robin fashion on E(u,v] 

09 Set a = (*„,„,*„,„,$„,„,$„,„) 

10 Return {u, v, (p, H), {qi, 52), (a, cr(a))) 

Receiver Create Next Request for E{r,v) 

11 DO: 

12 If \Z\ = (1 — X)D ## R now has enough packets to decode codeword 

13 Decode and output message 

14 Form EOT: gi = "SI" 

15 Else If X^iugg'^"' — ^^ ##Too much potential drop: packet duplication has occurred 

16 Form EOT: gi = "F2" 

17 Else: 

18 Set gi as for Internal Nodes 

19 Set p, g2 ~ -L, and Set a as for Internal Nodes 

20 Return (r,v,(±,-^+3n),(gi,±),(a,a(a))) 

Sender Create Next Request for E{s, v) 

21 DO: 

22 If Sender can eliminate a node w: ## Based on testimony packet just rec'd 
Add {w,T) to ENs, clear BBs and DBs (including BLs but not ENs) 
Set f^T+i = (l£;iVs 1,0,0); Set F = 

Else If Sender received EOT="Sl": ##R was able to decode codeword 

Set n-,+^ = {\ENs\,\BLs\,F) 
Else If \Y\^D or Sender rec'd EOT ="F2": ##Failed trans, due to mal. activity 

Set F = F + 1 

Vtu ^ {BLs U ENs): Add w to pi and (m,T) to BLs 

Set Q-,+1 = {\ENs\,\BLs\,F) 
If transmission just ended: ##I.e. line 22, 25, or 27 was true 

Reset Variables for Sender; 

Set SOT to be the following <n packets, and add to BBs'. 
1) fii+i; 2) ENs; 3) BLs; 4) "T+1" (Timestamp) 



35 If Ready(u) is true: 

36 Set new p 

37 Else: Set p = _L 
38 
39 
40 
41 



## Find highest p in buffer not already sent in a request to A 



Set new gi: Choose control packet not yet transferred across E{s,v) by priority: 

1) SOT packet; 2) a node w to remove from BL; 3) 1. 
Set g2 and a as for Internal Nodes 

Return (s,v,(p,C+,f--3n).(qi.q2).{a,<y(a))) 



Figure A. 6: Rules For Finding Codeword Packet and Control Packet to Send 



eliminate a corrupt node from these testimonies via Lemmas IB. 3! and IB. 41 (which imply Lemma 13.4 
of Section [3.21). 



Lemma B.2. After a corrupt node is eliminated (or at the outset of the protocol) and before the next 
corrupt node is eliminated, there can be at most n-1 failed transmissions {Ti, . . . ,T„-i} before there 
is necessarily an index i£[l,n] such that the Sender has all testimonies from nodes participating in 



18 



Proof. The intuition for the proof is that the blacklist forces corrupt nodes to return their testimonies 
to the Sender if they want to further disrupt future transmissions. In particular, nodes for which the 
Sender is missing a testimony packet will not be allowed to transfer (codeword) packets in future 
transmissions, as they will be on the blacklist. Suppose for the sake of contradiction that there were 
n failed transmissions. The above paragraph means that for each failed transmission 1 < i < n, 
there is at least one node Ui such that the Ui participated in Tj and the Sender is missing a testimony 
packet from Ui corresponding to Tj. Since Ui cannot participate in any transmissions after this until 
he is cleared from the blacklist, it must be that |{ui}"^;^| = n. But this is a contradiction, since 
there are only n nodes in the network, and the Sender cannot equal Ui for any i since the Sender 
always has its own testimony packets. 

To formalize the above argument, let pj denote the set of nodes that participated in transmission 
T; i.e. the nodes on pj were not on the blacklist for at least one round of T. We begin with a simple 
observation: 

Observation. If w is put on the blacklist as on (A. 6. 29) at the end of some transmission T', 
then w will remain on the blacklist until: (1) A node has been eliminated (in some transmission 
T > T'); or (2) The Sender receives w's complete testimony for T'. In particular, w cannot 
appear on any participating list pj for T > T' until either (1) or (2) occurs. 

Proof. By investigating the pseudo-code, the only place nodes are removed from the blacklist 
are on (A. 4. 22-23) and (A. 6. 23). Notice that both of these can only occur in a transmission 
T > T', since w is added on the blacklist at the end of T' on (A. 6. 29); i.e. neither (A. 4. 22) 
nor (A. 6. 23) can be reached in T' after (A. 6. 29) has been reached. The first part of the 
observation is therefore true. The last part of the of the observation follows from the fact that 
for any transmission T > T', a node is only placed on pj if the node was not on the blacklist 
at some point of the transmission (see (A. 6. 29)). 

Suppose now for the sake of contradiction that we have reached the end of transmission T„, which 
marks the n transmission {Ti,...,T„} such that for each of these n failed transmissions, the 
Sender does not have the complete testimony from at least one of the nodes that participated in the 
transmission. Define the set S to be the set of nodes that were necessarily not on pj^, and initialize 
this set to be empty. 

Since the Sender is missing some node's complete testimony that participated in Ti, there is 
some node wi € pj-^ from which the Sender is still missing a testimony packet corresponding to Ti 
by the end of transmission T„_i. Notice by the observation above that wi will not be on pjf for any 
T2 < T' < T„_i, so put wi into the set S. Now looking at T2, there must be some node W2 G Pxj 
from which the Sender is still missing a testimony packet from T2 by the end of transmission T„__i. 
Notice that W2 7^ wi since wi ^ pj^, and also that W2 ^ Pt„_i (both facts follow from the above 
observation), so put W2 into S. Continue in this manner, until we have found the (n — 1)** distinct 
node that was put into S due to information the Sender was still missing by the end of T„_i. But 
then \S\ = n — 1, which implies that all nodes, except for the Sender, are not on pj^. 

We reach a contradiction by showing that transmission T„ cannot be a failed transmission (unless 
a corrupt node can be immediately identified). Recall that (other than case F4, when a corrupt 
node has been eliminated) there are two ways a transmission can fail: 1) F2, i.e. the Receiver has 
stored value ^^gg ^u > CD; and 2) F3, i.e. Sender has inserted D packets. However, both of these 
cases is impossible, since no node beside the Sender is on the participating list px„) and hence no 
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(honest) node should have transferred a packet, as hne (A. 3. 24) will fail for all honest nodes (if 
the Sender is the only node on px„) then all nodes except the Sender were on the blacklist for the 
entirety of T„, see (A. 6. 29)). Therefore, no honest nodes will transfer any codeword packets during 
T„, so the Sender has not inserted any packets and the Receiver has not received any packets, and 
any node u that reports a non-zero value for <!>„ is necessarily corrupt. ■ 

It remains to argue that if a transmission fails as in case F2 or F3 and the Sender has all of 
the testimonies for this transmission, then the Sender can necessarily identify a corrupt node. The 
intuition for how these two cases are proven was provided in Section 13. 2| here we provide the details 
of the proofs (we handle each case F2 and F3 separately in Lemmas IB. 31 and IB.4|) . 

Lemma B.3. Suppose transmission T failed and falls under case F2, and at some later time (after 
transmission T hut before any additional nodes have been eliminated) the Sender has received all of 
the testimony packets from all nodes on pj. Then the Sender can eliminate a corrupt node. 

Proof. The idea of the proof is as follows. Case F2 of transmission failure roughly corresponds to 
packet duplication: there is a node w € G who is jamming the network either by outputting duplicate 
packets or disobeying transfer rules (e.g. by transferring a packet from a node with small height to 
a node with large height). Using the testimonies for Case F2, which include nodes' signatures on 
the cumulative drop in height of each packet transfer, we will catch w by looking for a node that 
has inconsistencies in the reported values for this cumulative height drop. 

More specifically, since each packet starts with height at most C when it is inserted, and there 
have been fewer than D insertions in the current transmission (otherwise we would be in case 
F3), the cumulative recorded drop in height for packets in a given transmission should be bounded 
by CD (in the absence of malicious activity). However, the recorded cumulative drop that the 
Receiver has obtained via the {$«,} exceeds this amount, since we are in Case F2 (see (A. 6. 15-16) 
and (A. 6. 27)). In particular, there is a node creating duplicated packets or lying about height 
information when transferring packets. 

The formal proof that the signed testimonies {^I'u,!;} from CI-2 can be used by the Sender to 
identify a corrupt node follows exactly the proof of Lemma D.20 in [18j. Indeed, comparing the 
pseudo-code for our protocol (in Appendix |A|) with the pseudo-code for the protocol in J18j, the 
differences between the two protocols lies in the nature of control information CI-1, and consequently 
does not threaten the validity of the current proof. ■ 

Lemma B.4. Suppose transmission T failed and falls under case F3, and at some later time (after 
transmission T hut before any additional nodes have been eliminated) the Sender has received all of 
the testimony packets from all nodes on pj. Then the Sender can eliminate a corrupt node. 

Before proving Lemma IB. 41 we set the following notation. Recall first the notation used for 
control information CI-2: At the outset of each transmission T, the Sender has chosen a distribution 
Xj- D —7- [1..A;]. For each codeword packet p, we will write x{p) ^ ^atj i-^- we will view x ^-s mapping 
the i codeword packet to the characteristic vector in Z^ with a '1' in the x(^)* coordinatejj 

It will be convenient to introduce the following notational conventions that we will use for the 
remainder of this proof. First, we will usually ignore explicitly referencing the encryption scheme 
£; even though internal nodes will not be able to read the plaintexts of the encryptions they are 



®Here, N is chosen to be large enough such that A^ > 6nD + 18n* ~ SOn'^ + 6n^ — fl{n'^), a condition that will be 
necessary for Lemma IB. 101 
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storing (only the Sender can decrypt), it will be easier to write this proof as if the plaintexts (control 
information CI-2) were being stored in the clear. Note that this assumption is made purely for ease 
of notation: at no point will the proof rely on the ability of internal nodes to be able to decipher 
the plaintexts of any control information. 

Recall also the following notation, as defined in Figure A.l of Appendix lAl 

- ^u '■= Ylpeu^i^iP)) denotes the sum of x(p)i for each (current codeword) packet p that u is 
storing at the end of the current transmission 

- ^u,v represents the sum of £(xip)) foi' each packet p sent across E{u,v) 

- ^v^u represents the sum of £(x{p)) ^or each packet p received across E{v,u) 

Note that there is potential ambiguity in the notation ^u,v- it can either represent the values u 
has stored (with signatures from v) for packets sent from u to v; or it can represent the values 
V has stored (with signatures from u) for packets sent from u to v. If w and v are honest, these 
quantities will match. We use the following convention to demand that they match, so that there 
is no ambiguity: 

1. If the hamming distance between (the decrypted value of) ^v.u that u is storing and the one 
that V is storing is greater than one, then the Sender can immediately eliminate a corrupt 
node. Afterall, all nodes should be verifying the values sent by their neighbor are valid before 
communicating more packets with them (Figure A. 2. 06). So if u and v^s values for $j,_„ have 
hamming distance greater than one, the Sender can necessarily identify the node that returned 
the less recent value for ^u,v (control packets are time-stamped with the round) |j 

2. If the hamming distance between (the decrypted value of) ^v,u that u is storing and the one 
that V is storing is exactly equal to one, then the Sender sets the more out-dated value to the 
more current value, and also adjusts $^ of the appropriate node {w = u oi v) accordingly. 
For example, if v is the difference in the two values for $^_„ and u has the more currenl|f| 
timestamp, then the Sender sets u's value for ^v,u equal to «'s value and modifies <I>^ by v: 
$1, := <^t, -|- V (thus, the quantity ^v^u + ^v remains constant through these changeqj). 

The following lemma states that if a transmission fails as in Case F3, then with overwhelming 
probability (in the security parameter k) the testimonies will indicate that the distribution of packets 
inserted by the Sender is not matched by the distribution of the packets that are being stored by 
the internal nodes and the Receiver. 

For the remainder of this section, let s denote the Sender and r denote the Receiver. Also, when 
referring to a specific failed transmission, let V denote the set of nodes that participated in that 
transmission; i.e. the nodes on V were not on the blacklist for at least one round of that transmission. 

Lemma B.5. Suppose a transmission fails as in Case F3, and at some later point the Sender has 
collected all of the testimonies from all nodes participating in that transmission. If the Sender is 



^If the time-stamps indicate the two values for $„,„ are coming from the same round, then both u and v are 
corrupt. 

*If u and «'s returned values for ^v,u are both time stamped with the same round, then the Sender treats the 
value coming from the receiving node (in this case u) as the more current value. 

^In particular, in Lemma IB. 81 it does not matter if we use the present notational convention for ^v,u and $„ or 
the original values that were returned by v in its testimony packets. 
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not able to identify a corrupt node based on self -incriminating testimonies, then the probability that 
the following equality is satisfied is negligible in k: 



u&G\{r,s} ueG\{r,s} 

More precisely, ([2]) is satisfied with probability at most: 

Vek 



(2) 



{V2^) 



k-l 



(3) 



Proof. Fix a transmission that satisfies the hypotheses of the lemma, and let {<!?«, ^u,v}u,vev 
denote the testimonies the Sender has collected. Let TZ be the multi-set of packets that the Receiver 
received from the internal nodes (i.e. not the Sender) in the current transmission. Since the Receiver 
is honest, each contribution to YlueG\W s}^u,r can be ascribed to a specific packet p £ TZ; i.e. each 
time ^u^r increased by x(p)) the Receiver also received the corresponding packet p (see A. 2. 14 and 
A. 2. 18). Similarly, let S denote the multi-set of packets that the Sender inserted to an internal node 
(i.e. not to the Receiver), and each one of these will contribute exactly one to || ^ueV\irs}^s,u\\i, 
where || • ||-, on Z^ denotes the standard li norm: 

\\{vi,V2,...,Vk)\\-^ = \vi\ H h \Vk\, 

where Vi £ [0..N — 1] are the canonical representatives in Z^v- 
Let TZf] := S mZ. With this notation, we have that: 



Yl ^«'« =Y.^^p^ ^"^ Yl ^"'^ =Y^^^ 

u€V\{r,s} pes ue'P\{r,s} pGll 



(4) 



If the hypotheses of the lemma are true (i.e. no node can be eliminated by the Sender), then the 
following is necessarily true: 



Fact 1. (From Lemma [B. 9 1) Each coordinate of ^pg^ xip) is at least as big as each coordinate 
of E«eP\{r,s}^« + EpeTen ^(P) 
By Fact 1, for every i G [l.-A;], we can bound the number of packets p £ S such that x{p) = ^ by: 

\{p £ S \ xiP) = i}\ > Yl (^«)' + Y ^(^)i 

ueV\{r,s} peTln 

Therefore, we may choose a sub-(multi-)set Q C 5 of packets that satisfy: 



|Q| = l^n|+ Yl ^« 

ueV\{r,s} 

Y^^p^ = Y '^'^ + Y ^(^) 

peQ ueV\{r,s} peTZn 



and 



(5) 



22 



Consequently, we have that: 

ueV\{r,s} u£V\{r,s} 

Yl x(^) + Yl ^(^) = Y^^ + Yl ^(^) + Yl ^(^) ^ 

peS\Q p&Q ueV\{r,s} p&ln pe7^\7^n 

pe5\s pe7^\7^n 

Notice that = (5 \ Q) Pi (7^ \ T^n) by construction of T^n- Since the distribution x is chosen so 
that x{p) is uniformly random in [1..A:] for each packet p, the quantity on the left-hand side of ([6]) 
is completely random, and it is independent from the quantity on the right-hand side because the 
(multi-)sets S\Q and TZ \ TZd are disjoint (and no node except the Sender has any knowledge of 

X)- 

Therefore, the probability that the equality in ([6| holds is bounded by the probability that a 
random distribution on \S \ Q\ items produces the distribution described by the right-hand side 
of ©. Intuitively, the Adversary's probability of making the distribution on the right-hand side 
of ([6]) match the left-hand side is equivalent to the probability of correctly predicting the outcome 
distribution of an experiment in which m balls are distributed into k buckets, where each of the 
Tn = |5\Q| balls are assigned a bucket uniformly at random. We bound this probability by - — k-i 

in Lemma iB.llj^^l ■ 

Lemma B.6. Suppose transmission T failed and falls under case F3, and the Sender has obtained 
all of the relevant testimonies. Then with overwhelming probability, either the transmission ended 
as in Case F2 or there exists (at least) one node u &V\{r,s} who has returned a testimony that 
is either self-incriminating or obeys: 

(0,...,0) / $„+ Y i^u,v-^v,u) (7) 

vev\u 

Proof. By Lemma [B. 5 1 if the Sender is not able to identify a node as corrupt because the transmission 
failed as in Case F2 or based on a self-incriminating testimony, then Lemma [B. 51 states that (|2|) will 
not be satisfied (with overwhelming probability). But if ([2]) is not satisfied, then: 

(0,...,0) / Y ^« + Y i^n,r-^s,u) (8) 

ueV\{r,s} MeP\{r,s} 

Also, by symmetry we have the trivial identity: 



(0,...,0)= Y Y i^u,v-^v,u) (9) 

u(i'P\{r,s} ti£'P\{'U,r,s} 



^"^Notice that \S\ Q\ does not appear anywhere in ((3]). Although the exact probability does depend on \S\ Q|, the 
bound in ([3| is valid as long as |5 \ Q| > k. Note that this is necessarily the case, as for all nodes u, if ||$u||i > C, 
then u can be identified as corrupt (since ||f (x(p))l|i — 1 for ^-U packets p, and all nodes are allowed to store at most 
C packets at any time). Therefore, as long as k £ 0{n?), we have that |5 \ Q| > fc, since being in Case F3 implies 
that |<S \ Qj > (AD — (n — 2)C) (the Sender inserted all D packets means \S\ = D) and the Receiver could not decode 
means 7?,n < (1 — A)D). 
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Combining ([8} and ([9} and using the fact that ^r,u = = ^u,s for all u (since the Sender never 
receives a packet and the Receiver never sends a packet), with overwhelming probability: 

{o,...,o) ^Y. '^^ +Y1 5Z ('^".'' - '^-.") (10) 

ue'P\{r,s} ueV\{r,s} veVXu 

An averaging argument applied to pop guarantees that there is some node u G V\{r,s} such that: 

(0,...,0) / $„+ ^ ($n,^, - ^^,n) , 

vep\u 
as required. ■ 

Lemma B.7. Suppose transmission T failed and falls under case F3, and the Sender has obtained all 
of the relevant testimonies. Then with overwhelming probability, the Sender can identify a corrupt 
node. 

Proof. By Lemma IB.6| if the Sender cannot identify a corrupt node as in Case F2 or via a self- 
incriminating testimony, then with overwhelming probability, there exists some node n G P \ {r, s} 
whose testimony satisfies ([7|. Intuitively, such a node u £ G is corrupt since the collection of 
packets that u is storing at the end of the transmission together with the packets that u sent to 
its neighbors does not match the collection of packets received by u from its neighbors. A rigorous 
proof that such a node u is corrupt is provided in Lemma IB. 81 ■ 

Lemma B.8. The distribution of packets (corresponding to the current codeword) that have been 
transferred out of u during any transmission is equal to the distribution of packets received into u 
minus the packets that u is storing at the end of the transmission. In particular: 

iO,...,0) = <^u + Yl i^u,v-^v,u) (11) 

v&VXu 

Proof. Intuitively, this lemma says that for every packet an honest node receives, that packet will 
either have been transferred (exactly once) to an adjacent node, or the packet will still be in one of 
the node's buffers at the end of the transmission. This lemma follows from lines A. 2. 07-22 and the 
fact that a node never sends the same (copy of a) packet to multiple neighbors (A. 6. 05). ■ 

Lemma B.9. // (llip is true for all nodes u £ V \{r, s}, then: 

Y^iv) = E "^^ + E^(^) (12) 

pes u£V\{r,s} pen 

In particular, each coordinate of^ ^^xip) ^^ ^^ least as big as each coordinate of "^ueVMr s\^u + 

Proof. Consider: 

(0,...,0) = E E i'^u,v - '^v,u) => 

ueVvevXu 

ueV\{r,s} vGV\u vGP\r vGVXs 

ueV\{r,s} veV\u p&l pes 
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where the first equahty is by symmetry; the second comes from the first by separating terms and 
noting that ^^.u = = ^u,s for all u (since the Sender never receives a packet and the Receiver 
never sends a packet); and the third comes from the definition of TZ and S (see the first paragraph 
of the proof of Lemma IB. Sp . Therefore: 

(0,...,0) = J^ $n + ^ J2 {'^u,v - <^v,u) => 

ue'P\{r,s} ueV\{r,s} veV\u 

(o,...,o) = Y, ^u + J2^(p) - E^(^) 

u£P\{r,s} p&l pes 

where the first equality comes from the fact that (|lip is true for all nodes u £ V \{r,s}; and the 
second equality comes from the first via (|13p . ■ 



Lemma B.IO. For any honest node u € G, if at any time there exists any node v £ G such that a 
coordinate of ^^^^ (or ^u,v) is N — 1, then necessarily a corrupt node can be identified. 

Proof We choose N large enough so that if any honest node has exchanged A^ packets with a 
neighbor, then these N packet transfers (each of which causes a potential drop of at least \H' — H\ > 
C/2n — 2n) in aggregate will correspond to a potential drop of at least CD, in which case a 
corrupt node can be identified as is done for Case F2 of transmission failure. Thus, we require 
N{C/2n - 2n) > CD, which happens if iV > 3nD (this uses the fact that C > I2n^). ■ 

Lemma B.ll. Let m,k,N he positive integers with N > m > k. Let W C Z^ be the subset of 
vectors v G Z^ such that ||v|L = m. Let X be a random variable defined by: 

m 



X:=E*^Y., (14) 



where Gj G Z^ is the characteristic vector with a '1' in the j*'^ position, and {Yj} are independent 
random variables satisfying Pr[Yi = j] = 1/k (for any j E [l..A;]j. For any fixed element v G Z^, 
the probability that X = v is maximal if 'v = {m/k, m/k, . . . , m/k)}^ and for this v, the probability 
that X = V is bounded from above by: 



27r) 

Proof For any random vector v = (ni, n2, • • • , n^) with ^^ Ui = m. Lemma IB. 121 below shows the 
probability X = v obeys: 

Pr[X = v] = (-^] , 7' r (16) 

By LennTLa [B.13l below. (|16p is maximized if \ni — nj\ < 1 for all pairs {i,j), in which case Ui > [m/k\ 



^^The hypotheses of the lemma do not assume k\m; when this is not the case, interpret v = {m/k, m/k, . . . , m/k) 
to mean v = ( [m/fcj , . . . , [m/fcj , \m/k'\ , . . . , [tti/Zc] ), where the number of terms equal to [m/fe] is the remainder of 
m divided by k. 
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for all i, and then plugging this into (116 

Pr[X = v] = 



1 \ ml 



< 



k'^ J ni!n2! • • ■ n^! 
1 \ ml 



k^J (["J!)* 



— \ Um I / ^ ^ I m |\ A; ' ^ ' 



where the final inequality is via Stirling's Formula. Since the quantity on the right side of (|17p is 
monotone decreasing as m increases (for fixed k >1), the probability is maximal for m, = k (given 
the constraint m > k), and then ([17]) becomes: 



Pr[X = v] < — ^^, (18) 



as claimed. 



Lemma B.12. Let X be a random variable as described in the hypothesis of Lemma \B.ll\ For any 
random vector v = (ni, 712, ...,71^) with ^^ tij = m, the probability X = v obeys: 



m \ ( m — ni \ I m — ni — n2- ■ ■ — ?i-fc-i 



, n\ \ no \ Uk 
Pr[X = V] = ^^-1^ '-^ )^ '- ^ (19) 

1 \ ml 



k"^ J niln2l . . . Ukl 

Proof. Consider the following scenario: m (unlabelled) balls are to be partitioned into k labelled 
buckets, where each ball is assigned a bucket in a uniformly random manner. At the end of this 
experiment, we may express the distribution of balls in buckets as the fc-tuple: (ni, 71-2, . . . , n^) G Z^, 
where tt-j denotes the number of balls that ended up in bucket i. It is clear that such an experiment 
describes the random variable X, that is, for any v S Z^ with m = Y2i=i '^i' ^^ have that the above 
experiment results in the distribution v with the same probability that X = v. Therefore, we prove 
the bound in (|19p in terms of the scenario of partitioning m (unlabelled) balls into k (labelled) 
buckets. 

Let V = (ni,n2, . . . ,nk) be fixed, and we determine the probability that the experiment will 
result in the distribution of balls in buckets as described by v. The fact that this probability is as 
described in (|19p comes from a counting argument: the first term in the numerator is the number of 
ways Hi balls can be chosen from m balls to be assigned to the first bucket; the second term counts 
the number of ways n2 balls can be chosen from the remaining m — ni balls to be assigned to the 
second bucket; and so on. The denominator of the right-hand side of (|19p counts the total number 
of ways m, balls can be distributed among k buckets. The second equality is a straightforward 
computation. ■ 

Lemma B.13. For positive integers m,k and a sequence of non-negative integers {njjJL]^ satisfying 
m = X]i=i "-«; ^^^ quantity (ni!n2! . . . n^.!) is minimized if |nj — nj\ < 1 for all pairs {i,j)- 

26 



Proof. (Proof by contradiction.) Suppose that there is a sequence {rii, . . . ,nk} that achieves the 
minimal value for (ni!n2! . . . n^!) and yet does not satisfy the hypothesis that \ni — nj\ < 1 for 
all pairs (i, j). In particular, let i and j be such that rii — rij > 2, and let M = ni!n2! . . . n^! 
denote the minimal value obtained by this sequence {rii, . . . , n^}. But this leads to a contradiction, 
since a lower minimum can be obtained from the sequence {n'^^n^, • • • , n.'^} satisfying: n'^ = rii — Ij 
n'- = rij + 1, and n'^ = rii for all other values of / G [l../c]. ■ 
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